Quick answer

Under 45 CFR § 164.502(e)(1), a covered entity cannot share protected health information with any vendor without a signed business associate agreement (BAA) meeting specific HIPAA requirements, including termination rights, subcontractor obligations, and security incident reporting. Missing or defective BAAs have cost healthcare organizations settlements from $350,000 to $2.3 million, and Texas practices face a second layer of exposure under Texas Health and Safety Code Chapter 181 and active state AG enforcement. The foundation for all of it is a current HIPAA Security Rule risk analysis that maps which vendors touch PHI.

If your practice routes claims through a clearinghouse, stores records in a cloud EHR, pays a billing company to manage revenue cycle, or uses an IT management firm that can access patient data, you have business associate relationships governed by federal HIPAA rules and Texas law. Getting the contracts right is a legal requirement with financial consequences, not administrative overhead.

The enforcement record reinforces this point. OCR collected over $8.7 million in settlements in 2024, and Texas AG Ken Paxton has opened multiple high-profile investigations of vendor breaches affecting millions of Texans. The rules have not changed fundamentally, but enforcement has intensified and the proposed HIPAA Security Rule updates published in January 2025 would add new vendor verification obligations if finalized.

What does a HIPAA-compliant BAA actually require?

Under 45 CFR § 164.504(e), a business associate agreement must describe permitted uses of PHI, require the vendor to keep PHI confidential, and authorize the covered entity to terminate the contract if the business associate violates a material term. That termination right is mandatory, not optional.

The BAA must also address the entire subcontractor chain. Under 45 CFR § 164.504(e)(2)(ii)(D), your vendor must require any subcontractor that creates, receives, maintains, or transmits PHI to agree to the same restrictions. This is where many practices have gaps. The 2023 MedEvolve settlement illustrates the problem directly. OCR found that MedEvolve, a revenue cycle management vendor, had failed to enter into a BAA with one of its own subcontractors, and an FTP server containing the PHI of 230,572 individuals was left open on the internet. The settlement cost MedEvolve $350,000. For the practices using that vendor, the lesson is plain: your vendor’s subcontractor gaps can create compliance exposure traceable back to you.

The HIPAA Security Rule adds a separate, independent layer beyond the Privacy Rule BAA requirements. Under 45 CFR § 164.314(a)(2)(i), the BAA must require the business associate to report any security incident to you, including breaches of unsecured electronic PHI. Under 45 CFR § 164.410(b), the vendor must notify you without unreasonable delay and no later than 60 calendar days after discovering the breach. The 60-day clock runs from the vendor’s discovery date, not the date the vendor informs you. If a vendor sits on a breach for 45 days before notifying you, your own notification deadline to affected individuals may be only 15 days away.

Cloud vendors are not exempt. HHS OCR guidance confirms that a cloud service provider handling ePHI on behalf of a covered entity is a business associate and must sign a BAA before any data is stored or processed. This applies even when the vendor handles only encrypted data and holds no decryption key. There is no conduit exception for cloud storage. Any cloud system that stores or processes ePHI requires a signed BAA before the service goes live.

What happens when a BAA is missing or defective?

The enforcement record is specific. In 2016, OCR announced a $1,550,000 settlement with North Memorial Health Care of Minnesota after finding the organization failed to execute a BAA with a major contractor that had access to the PHI of approximately 9,497 patients, and also failed to conduct an organization-wide Security Rule risk analysis. That same year, OCR settled with Raleigh Orthopaedic Clinic for $750,000 after the clinic transferred X-ray films and PHI of 17,300 patients to a potential business partner without first executing a BAA, even though the transfer occurred in an exploratory context. Sharing PHI before a BAA is signed, at any stage of a vendor relationship, triggers enforcement.

Business associates carry direct liability too. OCR enforced directly against Catholic Health Care Services of the Archdiocese of Philadelphia for $650,000 in 2016 after a stolen mobile device compromised the PHI of 412 nursing home residents. In 2020, CHSPSC LLC, a business associate providing IT services to hospital affiliates, paid $2,300,000 to settle HIPAA Privacy and Security Rule violations arising from a breach affecting more than 6 million individuals. Vendors cannot assume their covered-entity clients absorb all liability.

HIPAA civil money penalties under 45 CFR § 160.404(b)(2) are structured in four tiers. Unknowing violations start at $100 per violation with a $1,500,000 annual cap. Willful neglect not corrected carries a minimum of $50,000 per violation with the same cap. Penalty amounts are inflation-adjusted annually. For a small Texas practice, a multi-violation finding can reach six figures even in the lower tiers.

The ransomware trend adds urgency. In May 2025, OCR settled with Comstar LLC following a ransomware breach affecting 585,621 individuals as part of OCR’s ongoing Ransomware Enforcement Initiative. In August 2025, OCR’s 15th Ransomware Enforcement Action targeted BST and Co. CPAs, a New York accounting firm acting as a HIPAA business associate, confirming that overlooked vendor categories like accounting and billing firms carry full BA obligations. Third-party incidents (attacks on vendors, not the practice itself) jumped 43% year-over-year in 2024, with average costs soaring 72% to $241,000, according to At-Bay’s 2025 InsurSec Report. Average ransomware severity reached nearly $500,000 in 2024.

The Change Healthcare ransomware attack, disclosed February 21, 2024, ultimately affected approximately 192.7 million individuals, making it the largest breach in U.S. healthcare history. Any Texas practice that used Change Healthcare’s clearinghouse services had a BA relationship and faced its own breach notification evaluation. The scale of that single vendor failure illustrates what a gap in vendor oversight can trigger across an entire ecosystem.

Are Texas practices facing additional vendor obligations?

Yes. Texas Health and Safety Code Chapter 181, the Texas Medical Records Privacy Act as amended by HB 300 effective September 1, 2012, runs parallel to HIPAA and applies directly to business associates handling PHI of Texas patients, regardless of where the vendor is headquartered. Texas civil penalties reach up to $250,000 per year per violation when PHI is used for financial gain, and those penalties can run simultaneously with federal OCR penalties from a single incident.

Texas HB 300 also requires Texas-specific privacy training for workforce members handling PHI, including employees of business associates operating in Texas. Small practices should confirm their BAAs require Texas-law-compliant training from vendors, not just generic HIPAA compliance training. Failing to include this obligation in a BAA is a common gap.

State enforcement is active. In February 2026, Texas AG Ken Paxton issued Civil Investigative Demands to Blue Cross Blue Shield of Texas and Conduent Business Services LLC following a breach at Conduent’s systems that exposed the PHI and personal data of approximately 4 million Texans, including Medicaid recipients. That investigation scrutinizes BCBS-TX’s vendor oversight practices directly, illustrating that any Texas covered entity can face AG attention when a vendor’s breach occurs.

In September 2024, the Texas AG settled with Pieces Technologies, a Dallas-based healthcare AI company, after finding the company made deceptive marketing claims about the accuracy of its AI product used by Texas hospitals. Practices contracting with AI healthcare vendors should require contractual accuracy representations and audit rights, since the vendor’s marketing claims about the product become part of your compliance risk profile.

For non-HIPAA vendors (website analytics tools, scheduling apps that do not handle PHI, marketing platforms), the Texas Data Privacy and Security Act (TDPSA), effective July 1, 2024, may require separate data processing agreements with processors. HIPAA-covered BA relationships are exempt from the TDPSA, but vendor relationships outside the HIPAA perimeter may now require a TDPSA-compliant processor contract specifying processing instructions, data type, and sub-processor obligations.

What is the proposed Security Rule update, and does it affect vendor contracts?

On January 6, 2025, HHS published a Notice of Proposed Rulemaking to strengthen the HIPAA Security Rule. The proposal would eliminate the current required vs. addressable distinction, making all implementation specifications mandatory. It would require a written technology asset inventory and network map updated at least every 12 months, and would require business associates to notify covered entities within 24 hours of activating a contingency plan.

For vendor management specifically, the NPRM proposes that covered entities verify, at least annually and upon each new BA relationship, that a business associate’s security measures protecting ePHI are in place and functioning. If finalized, this creates an affirmative verification obligation well beyond simply signing a BAA. As of June 2026, no final rule has been issued. The proposal includes a 180-day compliance window after any final rule, plus a separate transition period for modifying existing BAAs. Conducting a BAA inventory and gap assessment now, before that compliance clock starts, is the practical approach.

OCR’s Risk Analysis Initiative reinforces the urgency. As of April 2026, the initiative had produced four settlements totaling $1,165,000, every one involving failure to conduct an accurate and thorough risk analysis under 45 CFR § 164.308(a)(1)(ii)(A). A current risk analysis is what tells you which vendors handle ePHI, what controls the BAA should require, and how frequently vendor security should be reviewed. Without it, the rest of your vendor management program is built on incomplete information.

What to do next

The practical starting point is a complete vendor inventory paired with a current HIPAA Security Rule risk analysis. Without a clear picture of which vendors touch ePHI, and what risks those relationships carry, you cannot determine which relationships need BAAs, what security terms belong in each agreement, or where your subcontractor chain is incomplete. Our HIPAA Risk Analysis service covers vendor mapping, BAA gap identification, subcontractor chain review, and the documentation OCR looks for when it opens an investigation. Contact North Privacy Advisors to schedule an assessment before a vendor’s incident creates your compliance problem.

Last Updated: June 8, 2026